05-27-2009 06:44 AM
Hello,
I have the following issue: I need to load-balance traffic between two servers already working in two different subnets (VLANs); at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? Routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
Thanks in advance for your support.
05-27-2009 07:31 AM
Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
serverfarm host FARM-web2-Master
  description Serverfarm Master
  probe PROBE-web2
  rserver master
    inservice
serverfarm host FARM-web2-Slave
  description Serverfarm Slave
  probe PROBE-web2
  rserver slave
    inservice
class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.80.12 tcp eq www
  3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
  class REMOTE-ACCESS
    permit
policy-map type loadbalance first-match LB-POLICY
  class class-default
    serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
  description ACE-web2-Clientside
  ip address 10.199.80.13 255.255.255.248
  alias 10.199.80.12 255.255.255.248
  peer ip address 10.199.80.14 255.255.255.248
  access-group input ACL-IN
  access-group output PERMIT-ALL
  no shutdown
interface vlan 384
  description ACE-web2-Serverside
  ip address 10.199.80.18 255.255.255.240
  alias 10.199.80.17 255.255.255.240
  peer ip address 10.199.80.19 255.255.255.240
  access-group input PERMIT-ALL
  access-group output PERMIT-ALL
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy
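The principle in the reply above is that the ACE must see both directions of every flow: an off-subnet real server needs a static route pointing at it, and the policy's `nat dynamic` must reference a `nat-pool` that actually exists on the server-side VLAN. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses an ACE-style config extract (the embedded text is a trimmed copy of the extract posted above) and reports rservers with no static route and NAT references with no matching pool. The parser keys on keywords, not indentation, so it works on a flattened paste like the one in this thread. The parsing rules and the finding messages are this example's own assumptions, not ACE behaviour.

```python
"""Added example: audit an ACE config extract for the "ACE sees both sides"
pattern (client-NAT plus static routes). Not Cisco code; keyword-based
parsing is an assumption made here for the thread's flattened extract."""
import ipaddress

# Trimmed copy of the config extract posted in the thread (constructed sample input).
ACE_CONFIG = """\
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    nat dynamic 1 vlan 384
interface vlan 383
  ip address 10.199.80.13 255.255.255.248
interface vlan 384
  ip address 10.199.80.18 255.255.255.240
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
"""


def parse_ace(config):
    """Tiny state machine: track which rserver/interface block we are in by
    keyword so that 'ip address' lines can be attributed correctly."""
    rservers, ifaces, pools, nat_refs, routes = {}, {}, set(), [], []
    ctx = None  # ("rserver", name) | ("interface", vlan_id) | None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "rserver" and len(t) >= 3:          # "rserver host NAME"
            ctx = ("rserver", t[2])
        elif t[0] == "interface" and t[1] == "vlan":   # "interface vlan N"
            ctx = ("interface", int(t[2]))
        elif t[0] in ("policy-map", "class-map", "serverfarm"):
            ctx = None                                  # leave rserver/interface scope
        elif t[:2] == ["ip", "address"]:
            if ctx and ctx[0] == "rserver":
                rservers[ctx[1]] = ipaddress.ip_address(t[2])
            elif ctx and ctx[0] == "interface":
                ifaces[ctx[1]] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "nat-pool" and ctx and ctx[0] == "interface":
            pools.add((ctx[1], int(t[1])))              # (vlan, pool id)
        elif t[:2] == ["nat", "dynamic"]:               # "nat dynamic ID vlan N"
            nat_refs.append((int(t[4]), int(t[2])))     # (vlan, pool id)
        elif t[:2] == ["ip", "route"]:                  # "ip route NET MASK NEXTHOP"
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                           ipaddress.ip_address(t[4])))
    return rservers, ifaces, pools, nat_refs, routes


def audit(config):
    """Return a list of findings; an empty list means the extract is consistent."""
    rservers, ifaces, pools, nat_refs, routes = parse_ace(config)
    findings = []
    # 1. Every 'nat dynamic' in a policy must name a pool that exists on that VLAN.
    for vlan, pool_id in nat_refs:
        if (vlan, pool_id) not in pools:
            findings.append(f"nat dynamic {pool_id} vlan {vlan}: "
                            f"no nat-pool {pool_id} defined on interface vlan {vlan}")
    # 2. Every rserver must be on-link or reached via a specific static route
    #    whose next hop sits on one of the ACE's own interface subnets.
    for name, ip in rservers.items():
        if any(ip in net for net in ifaces.values()):
            continue                                    # same subnet as an ACE interface
        next_hops = [nh for net, nh in routes if ip in net and net.prefixlen > 0]
        if not next_hops:
            findings.append(f"rserver {name} ({ip}) is off-subnet and has no static route")
        elif not any(nh in net for nh in next_hops for net in ifaces.values()):
            findings.append(f"rserver {name} ({ip}): next hop {next_hops[0]} "
                            f"is not on any ACE interface subnet")
    return findings


if __name__ == "__main__":
    for line in audit(ACE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the thread's extract the audit is clean; delete one of the two host routes, or renumber the `nat-pool`, and the corresponding finding appears. The check deliberately ignores the default route: an off-subnet server that is only reachable via `0.0.0.0/0` is exactly the case the reply warns about, since nothing then guarantees the return path crosses the ACE.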
05-27-2009 08:01 AM
Then, I suppose that interface vlan 384 (server side) is also configured in the 6500 since you are forwarding traffic destined to the realservers to IP address 10.199.80.21. Is that correct?
05-27-2009 08:04 AM
Hi,
That is correct.
Kind Regards
Cathy
06-02-2009 04:18 AM
You can use either bridged or routed mode as long as the VLANs are trunked across the ACE interfaces by creating a port channel to carry the trunked VLANs.
06-02-2009 08:04 AM
Thanks for the comment.
Actually, I already configured it in routed mode using source-NAT. It works pretty well.
I just have one doubt: when using the "show conn" command I see all the new connections being load-balanced to the servers, but after probably only 30 seconds (or less) the connections are no longer listed by that command even though the clients are still connected to the servers. Is this the right behaviour? What command should be used to see the current connections? I thought the default timeout for any TCP connection was 3600 seconds (1 hour); should it be explicitly configured using a parameter-map?
Also, if I needed to configure several more serverfarms in order to load-balance other services (TCP, most of them HTTP), is it possible to add more VIPs to my current L4VIPCLASS in order to achieve this goal?
I have the following configuration:
class-map match-all L4VIPCLASS
  2 match virtual-address X.X.X.X tcp eq www
policy-map type loadbalance http first-match WEB_POLICY
  class class-default
    sticky-serverfarm app-ipstky
    insert-http x-forward header-value "%is"
policy-map multi-match VIPs
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy WEB_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 71
interface vlan 70
  ip address A.A.A.A 255.255.255.0
  alias B.B.B.B 255.255.255.0
  peer ip address C.C.C.C 255.255.255.0
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown
Regards,
06-02-2009 11:10 PM
Hi,
You need to create more class-maps to match whatever services you load-balance. These can then be added to the existing policy-map. For example:
class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.253.188 tcp eq 636
class-map match-any L4VIPCLASS-389
  2 match virtual-address 10.199.253.188 tcp eq 389
class-map match-any L4VIPCLASS-636
  2 match virtual-address 10.199.253.187 tcp eq 636
class-map match-any L4VIPCLASS-Auth
  2 match virtual-address 10.199.253.185 tcp eq 636
class-map match-any L4VIPCLASS-Auth-389
  2 match virtual-address 10.199.253.185 tcp eq 389
class-map match-any L4VIPCLASS-Auth-636
  2 match virtual-address 10.199.253.186 tcp eq 636
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 395
    ssl-proxy server PSERVICE_SERVER
  class L4VIPCLASS-389
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 395
  class L4VIPCLASS-636
    loadbalance vip inservice
    loadbalance policy LB-POLICY-636
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 395
    ssl-proxy server PSERVICE_SERVER
  class L4VIPCLASS-Auth
    loadbalance vip inservice
    loadbalance policy LB-POLICY-Auth-389
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 395
    ssl-proxy server PSERVICE_SERVER
  class L4VIPCLASS-Auth-389
    loadbalance vip inservice
    loadbalance policy LB-POLICY-Auth-389
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 395
  class L4VIPCLASS-Auth-636
    loadbalance vip inservice
    loadbalance policy LB-POLICY-Auth-636
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 395
    ssl-proxy server PSERVICE_SERVER
HTH
Cathy